Analysis
max time kernel: 105s
max time network: 137s
platform: windows10-2004_x64
resource: win10v2004-20250619-en
resource tags: arch:x64 arch:x86 image:win10v2004-20250619-en locale:en-us os:windows10-2004-x64 system
submitted: 03/07/2025, 05:27
Behavioral task
behavioral1
Sample
2025-07-03_03c8fee8e519f4ba8b345d1911159d21_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe
Resource
win10v2004-20250619-en
General
-
Target
2025-07-03_03c8fee8e519f4ba8b345d1911159d21_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe
-
Size
10.9MB
-
MD5
03c8fee8e519f4ba8b345d1911159d21
-
SHA1
28f90a564378918be6bf6bbe2058145680a18f90
-
SHA256
6dce3bb278d52d294092c3cfe6511a2505c659fbe0377f673548ff1478fc853c
-
SHA512
d6349112d7201e38ead7137e73d61249e6347231cc3c271c11e13b207d2f47b5a7c1a6c2e8d1fe8fa9a27ce9664ef416e3512fcaf85d50238bdd4a33ccbd0fe8
-
SSDEEP
196608:M4E+vucfurHmiTucW209IxL5wnm8NlOQPAv2j5jzvVZFtH:o+XfuCiTnU9IxL98Skjzv7
Malware Config
Signatures
Loads dropped DLL 10 IoCs
pid | Process
2600 | 2025-07-03_03c8fee8e519f4ba8b345d1911159d21_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (this row is listed 10 times, one per IoC)
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\_MEI49442\\trollface.png" | 2025-07-03_03c8fee8e519f4ba8b345d1911159d21_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe
Modifies Control Panel 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\Control Panel\Desktop\WallpaperStyle = "2" | 2025-07-03_03c8fee8e519f4ba8b345d1911159d21_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\Control Panel\Desktop\TileWallpaper = "0" | 2025-07-03_03c8fee8e519f4ba8b345d1911159d21_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: 33 | 4308 | AUDIODG.EXE
Token: SeIncBasePriorityPrivilege | 4308 | AUDIODG.EXE
Suspicious use of WriteProcessMemory 2 IoCs
description | pid | Process | procid_target
PID 4944 wrote to memory of 2600 | 4944 | 2025-07-03_03c8fee8e519f4ba8b345d1911159d21_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe | 87
PID 4944 wrote to memory of 2600 | 4944 | 2025-07-03_03c8fee8e519f4ba8b345d1911159d21_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe | 87
Processes
C:\Users\Admin\AppData\Local\Temp\2025-07-03_03c8fee8e519f4ba8b345d1911159d21_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\2025-07-03_03c8fee8e519f4ba8b345d1911159d21_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe"
  PID: 4944
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\2025-07-03_03c8fee8e519f4ba8b345d1911159d21_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe (child of PID 4944)
    command line: "C:\Users\Admin\AppData\Local\Temp\2025-07-03_03c8fee8e519f4ba8b345d1911159d21_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe"
    PID: 2600
    - Loads dropped DLL
    - Sets desktop wallpaper using registry
    - Modifies Control Panel
C:\Windows\system32\AUDIODG.EXE
  command line: C:\Windows\system32\AUDIODG.EXE 0x320 0x3a0
  PID: 4308
  - Suspicious use of AdjustPrivilegeToken
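The signatures and process tree above describe three behaviors worth encoding as detection logic: a wallpaper value written to Control Panel\Desktop\Wallpaper that points at a file under the user's temp directory (ATT&CK T1491.001, Internal Defacement), a process writing into the memory of a child that is a second copy of the same executable, and paths under a _MEI<digits> directory, which is where a PyInstaller onefile bundle unpacks itself. Note that the family names in the sample's filename are part of the submitted filename; nothing in the Signatures or Malware Config sections above matches a specific family. The Python below is an added example, not output of the sandbox or code from any project: the event records are constructed to mirror the IoCs on this page using this example's own field names and a placeholder DLL name, and treating AUDIODG.EXE's adjustment of its own token as benign noise is a tuning assumption.

```python
import ntpath
import re
from dataclasses import dataclass

# Constructed events mirroring the report's IoCs. Field names are this
# example's own; the DLL file name is a placeholder (the report does not
# name the dropped DLLs).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\sample.exe"
USER_HIVE = r"\REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000"
EVENTS = [
    {"type": "process_create", "pid": 4944, "ppid": 0, "image": SAMPLE},
    {"type": "process_create", "pid": 2600, "ppid": 4944, "image": SAMPLE},
    {"type": "write_process_memory", "pid": 4944, "target_pid": 2600},
    {"type": "write_process_memory", "pid": 4944, "target_pid": 2600},  # report lists it twice
    {"type": "load_image", "pid": 2600,
     "path": r"C:\Users\Admin\AppData\Local\Temp\_MEI49442\dropped.dll"},
    {"type": "registry_set", "pid": 2600,
     "key": USER_HIVE + r"\Control Panel\Desktop\Wallpaper",
     "value": r"C:\Users\Admin\AppData\Local\Temp\_MEI49442\trollface.png"},
    {"type": "registry_set", "pid": 2600,
     "key": USER_HIVE + r"\Control Panel\Desktop\WallpaperStyle", "value": "2"},
    {"type": "registry_set", "pid": 2600,
     "key": USER_HIVE + r"\Control Panel\Desktop\TileWallpaper", "value": "0"},
    {"type": "process_create", "pid": 4308, "ppid": 0,
     "image": r"C:\Windows\system32\AUDIODG.EXE"},
    {"type": "adjust_privilege", "pid": 4308, "privilege": "SeIncBasePriorityPrivilege"},
]

MEI_DIR = re.compile(r"\\_MEI\d+\\", re.IGNORECASE)       # PyInstaller onefile unpack dir
USER_TEMP = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
WALLPAPER_KEY = re.compile(r"\\Control Panel\\Desktop\\Wallpaper$", re.IGNORECASE)
# Tuning assumption: the audio engine adjusting its own token is routine sandbox noise.
BENIGN_PRIV_ADJUST = {"audiodg.exe"}


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    pid: int
    detail: str


def detect(events):
    """Run the rules over a list of event dicts and return unique findings."""
    images = {e["pid"]: e["image"] for e in events if e["type"] == "process_create"}
    findings, seen = [], set()

    def add(rule, severity, pid, detail):
        f = Finding(rule, severity, pid, detail)
        if f not in seen:               # collapse repeated identical events
            seen.add(f)
            findings.append(f)

    for e in events:
        pid, kind = e["pid"], e["type"]
        if kind == "registry_set" and WALLPAPER_KEY.search(e["key"]):
            # Wallpaper pointed into the user's temp directory: set by something that
            # was never installed (internal defacement). Any other path is a plain
            # configuration change and stays low.
            sev = "high" if USER_TEMP.search(e["value"]) else "low"
            add("wallpaper_set", sev, pid, e["value"])
        elif kind == "write_process_memory":
            src, dst = images.get(pid), images.get(e["target_pid"])
            if src is not None and src == dst:
                add("self_spawn_write_memory", "medium", pid,
                    f"{pid} -> {e['target_pid']} ({ntpath.basename(src)})")
        elif kind == "adjust_privilege":
            name = ntpath.basename(images.get(pid, "")).lower()
            if name not in BENIGN_PRIV_ADJUST:
                add("privilege_adjust", "low", pid, f"{name}: {e['privilege']}")
        # Any path under _MEI<digits> marks a PyInstaller onefile bundle unpacking.
        for v in (e.get("path"), e.get("value"), e.get("image")):
            m = MEI_DIR.search(v) if v else None
            if m:
                add("pyinstaller_onefile_extraction", "info", pid, m.group(0).strip("\\"))
    return findings


def rules_fired(events):
    """Sorted names of the rules that produced at least one finding."""
    return sorted({f.rule for f in detect(events)})


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f"[{f.severity:<6}] {f.rule:<30} pid={f.pid} {f.detail}")
```

Run against the constructed events it reports one wallpaper finding at high severity, one self-spawn write, and one PyInstaller indicator, and nothing for AUDIODG.EXE. The self-spawn rule stays at medium on its own because a PyInstaller onefile bootloader legitimately launches a second copy of itself; it is the combination with the temp-directory wallpaper write that makes this run interesting.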
Network
MITRE ATT&CK Enterprise v16
Downloads
-
Filesize 117KB
MD5 32da96115c9d783a0769312c0482a62d
SHA1 2ea840a5faa87a2fe8d7e5cb4367f2418077d66b
SHA256 052ad6a20d375957e82aa6a3c441ea548d89be0981516ca7eb306e063d5027f4
SHA512 616c78b4a24761d4640ae2377b873f7779322ef7bc26f8de7da0d880b227c577ed6f5ed794fc733468477b2fcdb7916def250e5dc63e79257616f99768419087
-
Filesize 48KB
MD5 c0c0b4c611561f94798b62eb43097722
SHA1 523f515eed3af6d50e57a3eaeb906f4ccc1865fe
SHA256 6a99bc0128e0c7d6cbbf615fcc26909565e17d4ca3451b97f8987f9c6acbc6c8
SHA512 35db454dbcc7ed89842c0440b92ce0b0b0db41dbd5432a36a0b7e1eddf51704b1f0d6cff5e3a3b0c3ff5db3d8632fed000471180ad72e39d8dbe68a757ccdfb0
-
Filesize 84KB
MD5 51ca0713f8fd5f142625a44df7ed7100
SHA1 a8ca5b3fe2fb79a0ccaa2816642097b57c5d70a0
SHA256 8768315b1e0e81ccd0d96c3d6a863803f5dd1de6af849285c439d61abd32b647
SHA512 1d36249c4bd0533effba35290ce0f719e075994787a68e622dac39a0e4d237dc1382e13e536cfd3add36bb24f8e612e040c64c738a5394c52145dd8291420d61
-
Filesize 129KB
MD5 429cb0177d5ab205f289d0cc830549ff
SHA1 21f749279ee95ed458e73463f7f845e9f54d0ab2
SHA256 6e804ed42cca2eb401a896fe9542201d4d77df22acbd935a3c56dc68530dae33
SHA512 eb309a531f110a01e0956a18d7b71d81591e8b6bc546bc8374d9d86e1afa1385afb4ea829160f3bf28faeefff42d730db06e06f4d2b5d994a6c694889cf22cf2
-
Filesize 274KB
MD5 584652f877074fe71d7b1f8eea1f849e
SHA1 fef33b2edf0ff33e68206705f6f3f8fbcc1179bd
SHA256 e0f93185cd64f1db3b9d1d20d620a691c5c453094b14d3b2ba2837f908f13304
SHA512 618499953b3b5b955eb4f361570c45655516a66593415e5a3c004139a8ca7af8168b1abe000efe401bb0ff9bc18bfe2345f80f7eb7bbde54986b9bd080457ecd
-
Filesize 68KB
MD5 692837eb1fcb73ef33a1474b18dfc7cd
SHA1 515fe13d2a15fab844584d9cba6f545b6c6b118b
SHA256 d674d53f7e2f906fbaf0d19ab871f9cff53956d40b3ce003a2b4b44b549d4b92
SHA512 4d38a68b6119783c5e625797461b6e5a21b876305c66cfbcbbaf7f6fac7446848963d2c241c690dbba7685aee0a09530ceeb5ec82f53c8f0e39d84e0063e25c5
-
Filesize 156KB
MD5 0d549f688e0b2424b549afcac58d5fa7
SHA1 4a9a6ec353ebc3e6dace80c9430318589cf16a4e
SHA256 80df30ed0f2c532c07ea7fdc44836e40a8ebd9e7611365a1a26989147e1a4210
SHA512 5faa4d456de3da1dfa996dea895ad298dad038ae82411aa1fb6dfdaa3d1f8883c02482e3e8c01faa4258d4cc84e42bd1f0e743f97f20c23ace6b13d739c5a5c2
-
Filesize 83KB
MD5 1ad8628499a107382153348a14a1dfc7
SHA1 87b9900e38212bda27e3c43898e6ee937510cf27
SHA256 7a20fe96274f554cc527c65f42a8de9cf0c201852bedddc12e44d9106bab728f
SHA512 e321dd917d3891359dff6b86e6bcb44cd931efc22a2e3bb763263187b52b5d0336daeab0ec1c09defe49970dc25071387b3d60e928f32107790c84fec9255a09
-
Filesize 176KB
MD5 6e6e510e8fa4555c9fd671981bbe513a
SHA1 f6bd718482717461378c6a7b15c3071eef9e7ad2
SHA256 cc5c21c1b5a8890d2bb14fd5cfab5114d2b427e17dcc567578ebb3f7d4b014e8
SHA512 14c98babec9b6cdd6979db075bcdc7d5aea6e7f12d5d3cde078066b89f8e23d2158e90d852f892d034afa0163969c8baff31daa3449c67c7b6e4e9262e429dba
-
Filesize 39KB
MD5 d83b0df3376afa1414f3c8a56c7a592a
SHA1 f157d71d956251123aa81c0e25754745c232ba13
SHA256 486fc63bfba93239e59c167329908eb6d213a1a3903a73a2ee4c10405d87464b
SHA512 7b2bc73f371424a32c70ee2b75394202233b9e2a54fb2c289346ae3a277a8de2ec800dee071759a4bfd72d71edd6e658667b5643cb0b462158a8e0b998ab6ae3
-
Filesize 1.3MB
MD5 6eaaedfcb46b0d67a5202b941b24bb24
SHA1 80c6ec92e99e06865b21a61280b3b1acb7ea7cfe
SHA256 f96e2accc2f18c93ebb88e46b275a5d5b7b99ab744097f4e9ae8a04766f98d57
SHA512 f66abd3bdf296b01014aa4e8acbdfc53994798f43c8e3a61a9dc85b9e8adadde582d056977db569d2cb2a9b22e32af6b915b130c78684156d215c70dcb989090
-
Filesize 5.0MB
MD5 ae5b2e9a3410839b31938f24b6fc5cd8
SHA1 9f9a14efc15c904f408a0d364d55a144427e4949
SHA256 ccfffddcd3defb8d899026298af9af43bc186130f8483d77e97c93233d5f27d7
SHA512 36ea760a7b56ea74174882155eddfb8726828240fcfc6b34d90ecdb7e50a7e632374dcbc9b2889081c0973cc51f50967e7d692498c4abd1f2cba3f7fe8d659cc
-
Filesize 38KB
MD5 0f8e4992ca92baaf54cc0b43aaccce21
SHA1 c7300975df267b1d6adcbac0ac93fd7b1ab49bd2
SHA256 eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a
SHA512 6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978
-
Filesize 776KB
MD5 8d4805f0651186046c48d3e2356623db
SHA1 18c27c000384418abcf9c88a72f3d55d83beda91
SHA256 007142039f04d04e0ed607bda53de095e5bc6a8a10d26ecedde94ea7d2d7eefe
SHA512 1c4895d912f7085d6e46f6776034c9e3d8d7bf934be858683bf6dedb13abca360ba816d8a5528ec7a3ac6e33010fdb6fc89b2699b5cfeedaabfdd5df143dffd1
-
Filesize 3.2MB
MD5 100115cb602884c42ebbd988e4eba76c
SHA1 4d0dab51ece4df563c30033f6f0d00d3e733c74a
SHA256 0ee77d53f313bc8e253dfac2a0f8b3aa12a7e096f747341e12ff504d3a2a6a9b
SHA512 144f2cae817b6f2a5c0698beca8e13084a49a2f17205ef0b6067aaed488ba4019d412353bbd63785a51ff64915164d08a75f2fcf39ea18d6d970d3107c85c6ca
-
Filesize 5.8MB
MD5 ad29d9424e5666d6637452a5ccf2ded0
SHA1 66bfc0d93ac097257925ca02afbb757506ed12a3
SHA256 941e773568d36cc598ee837a489fd4c44474a6574075e1cf156100bd83f22379
SHA512 f5287437b8fa36d334cdd282297081ee5acad35059e8c28b42e269b6b67a2f5eeff4f602f47224ce626c21391051ed8f8dd95a7ccec26db6d7cf3b0870b39528
-
Filesize 32KB
MD5 0d9fba0fe756bf147bf203a8d6e6ef68
SHA1 cd02d0a644a192b898a2cd85fd0d7a1b6a8b4dea
SHA256 4ad2692a4566175f5def440a45eee2382f72a70a46a60a63e0829a4a5e31c1ec
SHA512 6a38ca8de97182dd6efff4cfebd8b768fed54ae330cd792296446c46cfb629cffa8a0b6740c8e0a481512e5307b98912a9a77febb64f44657c900602b37fc7d2
-
Filesize 102KB
MD5 556d8192dfaa7ae79c9f1351186f3dbf
SHA1 9f4ca1cd7b1dbc3cb6e4a07851ece27fa2ed38f3
SHA256 d67213a01bf3aa94ed86498342b1b72aff0d944a7220358387132ad5168d603a
SHA512 09969d5660f3f10c2dc34804e971a66f4328cdef4563dcc7d47d735a4a87a48d947a604be7478b6f25071c5bbd8030bed371b2f6c60ce50acabc6bb3d4950300
-
Filesize 695KB
MD5 8fbf78ef18630a50809af155f66bc9fa
SHA1 94ee987780d711d0df8dbd620ff67729967086f4
SHA256 1056a954080af0798df9bb00e5715892936d510239f3ba830014d25c69c8df83
SHA512 c24214ca60c8470a2fe3b9f1f713a7f0053e304fe7f2d2b365c5bf7389a75f11de5ae5285464b40315487be99ac326ac0fa5b0a3d7fa3f3393900ce1d82ab64b
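As exported, the listing above fuses each hash label with its hex value (MD532da96…), which breaks naive copy-paste into a blocklist or a batch reputation lookup. The Python below is an added example, not code from the sandbox: it parses that layout whether or not a space separates label and digest, converts the rounded size to approximate bytes, validates each digest's hex length, and produces a deduplicated lookup list. The excerpt is constructed from the first three dropped files above, with the third entry's MD5 deliberately truncated so the validation has something to flag. A length check only catches transcription damage; it cannot confirm the digests themselves without the files.

```python
import re

# Constructed excerpt in the report's own fused layout: the first three dropped
# files, with the third entry's MD5 deliberately truncated by two characters.
REPORT_EXCERPT = """\
-
Filesize
117KB
MD532da96115c9d783a0769312c0482a62d
SHA12ea840a5faa87a2fe8d7e5cb4367f2418077d66b
SHA256052ad6a20d375957e82aa6a3c441ea548d89be0981516ca7eb306e063d5027f4
SHA512616c78b4a24761d4640ae2377b873f7779322ef7bc26f8de7da0d880b227c577ed6f5ed794fc733468477b2fcdb7916def250e5dc63e79257616f99768419087
-
Filesize
48KB
MD5c0c0b4c611561f94798b62eb43097722
SHA1523f515eed3af6d50e57a3eaeb906f4ccc1865fe
SHA2566a99bc0128e0c7d6cbbf615fcc26909565e17d4ca3451b97f8987f9c6acbc6c8
SHA51235db454dbcc7ed89842c0440b92ce0b0b0db41dbd5432a36a0b7e1eddf51704b1f0d6cff5e3a3b0c3ff5db3d8632fed000471180ad72e39d8dbe68a757ccdfb0
-
Filesize
84KB
MD551ca0713f8fd5f142625a44df7ed71
SHA1a8ca5b3fe2fb79a0ccaa2816642097b57c5d70a0
SHA2568768315b1e0e81ccd0d96c3d6a863803f5dd1de6af849285c439d61abd32b647
SHA5121d36249c4bd0533effba35290ce0f719e075994787a68e622dac39a0e4d237dc1382e13e536cfd3add36bb24f8e612e040c64c738a5394c52145dd8291420d61
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# Label fused to the digest ("MD5abc...") or separated by whitespace ("MD5 abc...").
HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s*([0-9A-Fa-f]*)$")
SIZE_LINE = re.compile(r"^(\d+(?:\.\d+)?)\s*(B|KB|MB|GB)$")
UNIT = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}


def parse_dropped_files(text):
    """Split the listing on '-' separator lines and unfuse the hash lines."""
    records, cur, expect_size = [], {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "-":
            if cur:
                records.append(cur)
            cur, expect_size = {}, False
            continue
        if line == "Filesize":
            expect_size = True
            continue
        if expect_size:
            m = SIZE_LINE.match(line)
            cur["size"] = line
            # The report rounds sizes (e.g. "10.9MB"), so bytes are approximate only.
            cur["size_bytes_approx"] = int(float(m.group(1)) * UNIT[m.group(2)]) if m else None
            expect_size = False
            continue
        m = HASH_LINE.match(line)
        if m:
            cur[m.group(1)] = m.group(2).lower()
    if cur:
        records.append(cur)
    return records


def validate(record):
    """Problems with one record: missing digests or digests of the wrong hex length."""
    problems = []
    for algo, n in HASH_LEN.items():
        h = record.get(algo)
        if h is None:
            problems.append(f"missing {algo}")
        elif len(h) != n:
            problems.append(f"{algo} has {len(h)} hex chars, expected {n}")
    return problems


def lookup_list(records, algo="SHA256"):
    """Deduplicated digests of records that pass validation, ready for a batch lookup."""
    out = []
    for r in records:
        if not validate(r) and r[algo] not in out:
            out.append(r[algo])
    return out


if __name__ == "__main__":
    recs = parse_dropped_files(REPORT_EXCERPT)
    for r in recs:
        print(r["size"], r.get("SHA256"), validate(r) or "ok")
    print("\n".join(lookup_list(recs)))
```

Records that fail validation are kept in the parsed output but excluded from the lookup list, so a damaged entry is visible rather than silently dropped; feed the whole listing above (and the sample's own hashes from the General section) through the same parser to build the complete set of 20 SHA256 values for this run.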